Add pod security policy (#343)

* Add pod security policy This adds pod security policy and seccompprofile. * Add one more pod security context * Move seccomProfile based on PR feedback
cockroachdb · Sep 20, 2023 · 7672b9f · 7672b9f
1 parent 79f844c
commit 7672b9f
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 1 deletion.
diff --git a/cockroachdb/Chart.yaml b/cockroachdb/Chart.yaml
@@ -2,7 +2,7 @@
 apiVersion: v1
 name: cockroachdb
 home: https://www.cockroachlabs.com
-version: 11.1.7
+version: 11.2.0
 appVersion: 23.1.10
 description: CockroachDB is a scalable, survivable, strongly-consistent SQL database.
 icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png

diff --git a/cockroachdb/templates/job-certSelfSigner.yaml b/cockroachdb/templates/job-certSelfSigner.yaml
@@ -30,6 +30,8 @@ spec:
     spec:
     {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
       securityContext:
+        seccompProfile:
+          type: "RuntimeDefault"
         runAsGroup: 1000
         runAsUser: 1000
         fsGroup: 1000
@@ -71,5 +73,11 @@ spec:
             value: {{ .Release.Namespace | quote }}
           - name: CLUSTER_DOMAIN
             value: {{ .Values.clusterDomain}}
+        {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:  
+              drop: ["ALL"]
+        {{- end }}
       serviceAccountName: {{ template "selfcerts.fullname" . }}
 {{- end}}
diff --git a/cockroachdb/templates/job-cleaner.yaml b/cockroachdb/templates/job-cleaner.yaml
@@ -27,6 +27,8 @@ spec:
     spec:
     {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
       securityContext:
+        seccompProfile:
+          type: "RuntimeDefault"
         runAsGroup: 1000
         runAsUser: 1000
         fsGroup: 1000
@@ -43,5 +45,11 @@ spec:
           env:
           - name: STATEFULSET_NAME
             value: {{ template "cockroachdb.fullname" . }}
+        {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:  
+              drop: ["ALL"]
+        {{- end }}
       serviceAccountName: {{ template "rotatecerts.fullname" . }}
 {{- end}}
diff --git a/cockroachdb/templates/job.init.yaml b/cockroachdb/templates/job.init.yaml
@@ -40,6 +40,8 @@ spec:
     {{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }}
     {{- if and .Values.init.securityContext.enabled }}
       securityContext:
+        seccompProfile:
+          type: "RuntimeDefault"
         runAsGroup: 1000
         runAsUser: 1000
         fsGroup: 1000
@@ -72,6 +74,12 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+        {{- if and .Values.init.securityContext.enabled }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:  
+              drop: ["ALL"]
+        {{- end }}
           volumeMounts:
             - name: client-certs
               mountPath: /cockroach-certs/
@@ -247,6 +255,12 @@ spec:
         {{- with .Values.init.resources }}
           resources: {{- toYaml . | nindent 12 }}
         {{- end }}
+        {{- if and .Values.init.securityContext.enabled }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:  
+              drop: ["ALL"]
+        {{- end }}
     {{- if .Values.tls.enabled }}
       volumes:
         - name: client-certs

diff --git a/cockroachdb/templates/statefulset.yaml b/cockroachdb/templates/statefulset.yaml
@@ -65,6 +65,15 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+        {{- if .Values.statefulset.securityContext.enabled }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+        {{- end }}
           volumeMounts:
             - name: certs
               mountPath: /cockroach-certs/
@@ -354,6 +363,8 @@ spec:
       {{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }}
       {{- if and .Values.securityContext.enabled }}
       securityContext:
+        seccompProfile:
+          type: "RuntimeDefault"
         fsGroup: 1000
         runAsGroup: 1000
         runAsUser: 1000